Azure Active Directory API始终显示禁止消息

debugcn 发表于 Dev

拉吉什S

我是使用Azure Active Directory实施的初学者。我有一个带有Azure Active Directory保护的WEB API（.net核心）。我正在尝试通过邮递员使用我的WEB API，我知道它需要Auth2令牌才能使用Web API。我已经按照此文档链接生成了auth2令牌。

生成Auth2令牌后，在标头中添加auth2令牌，例如，Authorization: Bearer e....但结果始终显示如下图所示。

我确定我会在“ API权限”部分中提供所需的权限，并且在Azure Portal中“权限类型”是“委派的权限”。

请参阅我的启动课程：

public class Startup
{
    public Startup(IConfiguration configuration)
    {
        Configuration = configuration;
    }

    public IConfiguration Configuration { get; }

    public void ConfigureServices(IServiceCollection services)
    {
        services.AddMvc(o =>
        {
            o.Filters.Add(new AuthorizeFilter("default"));
        }).SetCompatibilityVersion(CompatibilityVersion.Version_2_1);

        services.AddAuthorization(o =>
        {
            o.AddPolicy("default", policy =>
            {
                // Require the basic "Access app-name" claim by default
                policy.RequireClaim(DotNetCoreApiSample.Authorization.Constants.ScopeClaimType, "user_impersonation");
            });
        });

        services
            .AddAuthentication(o =>
            {
                o.DefaultScheme = JwtBearerDefaults.AuthenticationScheme;
            })
            .AddJwtBearer(o =>
            {
                o.Authority = Configuration["Authentication:Authority"];
                o.TokenValidationParameters = new Microsoft.IdentityModel.Tokens.TokenValidationParameters
                {
                    // Both App ID URI and client id are valid audiences in the access token
                    ValidAudiences = new List<string>
                    {
                    Configuration["Authentication:AppIdUri"],
                    Configuration["Authentication:ClientId"]
                    }
                };
            });
        // Add claims transformation to split the scope claim value
        services.AddSingleton<IClaimsTransformation, AzureAdScopeClaimTransformation>();
    }

    public void Configure(IApplicationBuilder app, IHostingEnvironment env)
    {
        if (env.IsDevelopment())
        {
            app.UseDeveloperExceptionPage();
        }

        // Very important that this is before MVC (or anything that will require authentication)
        app.UseAuthentication();

        app.UseMvc();
    }
}

沉

根据我的测试，一旦配置了策略，就可以使用作用域{your resource url}/user_impersonation要求访问令牌，然后可以使用访问令牌调用应用程序。否则，您将收到403错误。请通过链接检查您的访问令牌，以确保您的范围

在此处输入图片说明

我的测试代码如下1。 Stratup.cs




 public void ConfigureServices(IServiceCollection services)
        {
            services.AddMvc().SetCompatibilityVersion(CompatibilityVersion.Version_2_1);
            var tenatId = Configuration["AzureAd:TenantId"];
              services
             .AddAuthentication(o =>
             {
                 o.DefaultScheme = JwtBearerDefaults.AuthenticationScheme;
             })
             .AddJwtBearer(o =>
             {
                 o.Authority = "https://login.microsoftonline.com/<tenant id>/v2.0";
                 o.TokenValidationParameters = new Microsoft.IdentityModel.Tokens.TokenValidationParameters
                 {




                     ValidIssuers = new[] {
                     "https://sts.windows.net/<tenant id>/",
                  "https://login.microsoftonline.com/<tenant id>/v2.0"



                     },
                    // Both App ID URI and client id are valid audiences in the access token
                    ValidAudiences = new List<string>
                     {
                    "<app id>",
                    "<app id url>"
                     }
                 };
             });
            services.AddAuthorization(o =>
            {
                o.AddPolicy("default", policy =>
                {
                  policy.RequireClaim("http://schemas.microsoft.com/identity/claims/scope", "user_impersonation");
                });
            });
        }



        // This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
        public void Configure(IApplicationBuilder app, IHostingEnvironment env)
        {
            if (env.IsDevelopment())
            {
                app.UseDeveloperExceptionPage();
            }
            else
            {
                app.UseHsts();
            }
            app.UseAuthentication();



            app.UseHttpsRedirection();
            app.UseMvc();
        }

测试

一种。获取访问令牌

b。调用api

本文收集自互联网，转载请注明来源。

如有侵权，请联系[email protected] 删除。

编辑于2021-04-2

我来说两句

0条评论

登录后参与评论

来自分类Dev

Related 相关文章

文章

Azure Active Directory API始终显示禁止消息

Azure Active Directory API始终显示禁止消息

Azure Active Directory角色

外部API调用使用Azure Active Directory保护的我的API

Azure Active Directory和OWIN

无法加入Azure Active Directory

如何访问Azure Active Directory？

与 Azure Active Directory 之间的迁移

无法删除 Azure Active Directory

ACS75005“该请求不是有效的SAML2协议消息。” 当我使用SAML连接到Windows Azure Active Directory时始终显示

通过Rest调用查询Windows Azure Active Directory图Api

Querying the Windows Azure Active Directory Graph Api by Rest Call

Web API 401重定向Azure Active Directory OpenIdConnect

Azure Active Directory API中的错误重定向URI

通过Rest调用查询Windows Azure Active Directory图Api

Azure服务查询Azure Active Directory

使用Azure Active Directory Oauth的Azure Service Management API身份验证

使用Azure Active Directory Oauth的Azure Service Management API身份验证

Azure Active Directory验证Azure之外的Web Api中的访问令牌

Windows Azure Active Directory-refreshtoken到期

如何从订阅中删除Azure Active Directory

具有Azure Active Directory的ActiveDirectoryMembershipProvider

Azure Active Directory连接字符串

验证Azure Active Directory中的域名

Azure Active Directory分配的用户被忽略

Azure Active Directory帐户锁定阈值

在Azure Active Directory中使用Authorize属性

是否可以从Azure SQL查询Active Directory

查找Azure Active Directory的设置日期

管理Windows Azure Active Directory用户的工具

将Windows Azure Pack与Active Directory集成